Attacks and Counter Defense Mechanisms for Cyber-Physical Systems
Taha Hassan, Lulu Wang. CS 5214, Fall 2015
Overview
● Survivability of cyber-physical systems
● Failure types (attrition, pervasion, exfiltration)
● Case study: reliability in the electrical grid
● Optimal design conditions and tradeoffs
Survivability: System Model
● ‘Smart’ grid conceptual model
● Centralized management nodes
● Sensors
● Distributed control nodes
● Actuators
● Communications links
Survivability: Failure Types
● Attrition failure (direct mission impact: too few uncompromised nodes remain)
● Pervasion failure (direct means to damage: compromised nodes exceed what the system can tolerate)
● Exfiltration failure (grid data leaked out to instrument a later attack)
Survivability: Attacker Behavior
● Surveilling attacker
  ● Long-term operations (trade secrets analogy)
  ● Targets: CM nodes, sensors, communication links
  ● Needs discretion
● Destructive attacker
  ● Short-term disruption
  ● Targets: actuators, CM nodes, control nodes
  ● Discretion not a concern
Survivability: Countermeasures
● Intrusion detection
  ● False negative probability P_fn,x and false positive probability P_fp,x
  ● Detection interval T_IDS,x, to be chosen optimally
● Data leak rate control
  ● Transmission interval T_TX and sensing interval T_sensing
● Redundancy
  ● Redundancy factor α_x
  ● INIT_x = MIN_x × α_x: the initial node count is the minimum required count scaled by the redundancy factor
Performance Model
● System behavior described with a stochastic Petri net (SPN) model
● Three device types represented by node classes S, C, A: sensors, control nodes and actuators
Performance Model
● PATTRIT = 1: attrition failure, too many control nodes or actuators have been evicted or compromised, so fewer than the minimum remain
● PLEAK = 1: exfiltration failure, compromised sensors and control nodes have leaked too much data
● PPERVADE = 1: pervasion failure, too high a ratio of the control nodes or actuators has been compromised
Performance Model (SPN diagram, figure)
Performance Model: System initiation
● INIT_x nodes of each type, x ∈ {S, C, A} for sensors, control nodes and actuators respectively
● All nodes start uncompromised: place PGOOD_x holds INIT_x tokens, one token per node
Performance Model: The first event
● Transitions TCP_x model this event: the attacker compromises an uncompromised node
● The time to compromise a node is a random variable, exponentially distributed
● Node: goes from good to malicious. Place: its token moves from PGOOD_x to PBAD_x
Performance Model: The first event (state example)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). If in state (0, n_S, n_C, n_A, 0, 0, 0, 0, 0) an uncompromised sensor node is compromised, a token flows from PGOOD_S to PBAD_S and the resulting state is (0, n_S − 1, n_C, n_A, 1, 0, 0, 0, 0).
Performance Model: The second event
● Transitions TFP_x model this event: uncompromised nodes may be incorrectly evicted
● TFP_x: the IDS falsely detects an uncompromised node as compromised
● Node: an uncompromised node is removed from the system. Place: a token is removed from PGOOD_x
Performance Model: The second event (state example)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). If in state (0, n_S, n_C, n_A, 0, 0, 0, 0, 0) the IDS misdetects and evicts an uncompromised actuator, a token is removed from PGOOD_A and the resulting state is (0, n_S, n_C, n_A − 1, 0, 0, 0, 0, 0).
Performance Model: The third event
● Transitions TID_x model this event: compromised nodes are correctly evicted
● TID_x: the IDS correctly detects a compromised node as compromised
● Node: the number of unevicted compromised nodes decreases by one. Place: one token is removed from PBAD_x
Performance Model: The third event (state example)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). If in state (0, n_S, n_C − 1, n_A, 0, 1, 0, 0, 0) the IDS detects and evicts a compromised control node, a token is removed from PBAD_C and the resulting state is (0, n_S, n_C − 1, n_A, 0, 0, 0, 0, 0).
Performance Model: The fourth event
● TATTRIT_x models the system attrition failure event
● TATTRIT_x is enabled by the enabling function EATTRIT_x: the count of uncompromised nodes of type x (control nodes or actuators) has fallen below the minimum count MIN_x
● Node: no node moves. Place: one token is set in PATTRIT
● When the attrition failure condition is true, the enabling function returns true and TATTRIT_x fires
Performance Model: The fourth event
Table V lists the enabling functions governing the firing of TATTRIT_x.
Performance Model: The fourth event (state summary)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). TCP_x: a token moves from PGOOD_x to PBAD_x. TFP_x: a token is removed from PGOOD_x.
Performance Model: The fifth event
● TPERVADE_x models the system pervasion failure event
● TPERVADE_x is enabled by the enabling function EPERVADE_x, the Byzantine failure condition applied to the nodes of type x
● Node: the condition is re-evaluated whenever nodes move from PGOOD_x to PBAD_x or are evicted from PGOOD_x. Place: PPERVADE is set to 1
● Byzantine failure: when at least 1/3 of the control nodes, or at least 1/3 of the actuators, are compromised (in PBAD_x), the system suffers a Byzantine failure
Performance Model: The fifth event
The enabling functions of TPERVADE_x with x ∈ {C, A} are defined in Table V, governing the firing of TPERVADE_x.
Performance Model: The fifth event (state summary)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). TCP_x: a token moves from PGOOD_x to PBAD_x. TPERVADE_x: PPERVADE is set to 1.
Performance Model: The sixth event
● TLEAK_x models the system exfiltration failure event
● TLEAK_x: the attacker has exfiltrated enough data about the victim sensor or control node
● Node: compromised nodes (tokens in PBAD_x) transmit data out of the system and the attacker collects the intelligence. Place: PLEAK is set to 1
● Countermeasure: data leak rate controls
Performance Model: The sixth event (state summary)
The system's 9-place state is (PATTRIT, PGOOD_S, PGOOD_C, PGOOD_A, PBAD_S, PBAD_C, PBAD_A, PLEAK, PPERVADE). TLEAK_x: PLEAK is set to 1.
Performance Analysis
● Model parameterization
● Results
Model Parameterization (parameter table, figure)
Model Parameterization
The parameters are divided into input parameters and design parameters.
● Design parameter: one that the system manager can choose.
● Input parameter: one that the operating environment dictates.
● λ_T denotes the transition rate of transition T.
Model Parameterization (parameter table, figure)
Model Parameterization: Physical explanations
● TCP_x: the attacker compromises a device
● |PGOOD_x|: the number of uncompromised nodes of device type x
● λ_x: the per-node compromise rate for device type x
● λ_TCP,x = |PGOOD_x| · λ_x: the more uncompromised devices, the more compromise opportunities
Model Parameterization: Physical explanations
● TID_x: the IDS (intrusion detection system) detects a compromised device; λ_TID,x is the rate at which bad nodes are correctly detected and forced out of PBAD_x
● |PBAD_x|: the number of compromised nodes
● P_fn,x: the false negative probability
● T_IDS,x: the IDS detection interval
● In every T_IDS,x interval, 1 − P_fn,x is the probability that a bad node is correctly identified as bad, so λ_TID,x = |PBAD_x| · (1 − P_fn,x) / T_IDS,x
Model Parameterization: Physical explanations
● TLEAK_S: the attacker exfiltrates a substantial amount of victim sensor data
● λ_TLEAK,S, the rate at which TLEAK_S fires, is the product of three terms:
  ● the first term is the chance that a compromised sensor node rotates in to report sensing data (the bad-node ratio |PBAD_S| / (|PGOOD_S| + |PBAD_S|))
  ● the second term is the rate at which sensing reports occur
  ● the third term accounts for the maximum number of leaks the system can tolerate before an exfiltration failure occurs
● MAXLEAK_S: an input parameter, the maximum number of leaks the system can tolerate
Model Parameterization: Physical explanations
● TLEAK_C: the attacker exfiltrates a substantial amount of victim control node data; its rate grows with the number of compromised control nodes |PBAD_C|
● T_TX: the data transmission interval allowed per node (its inverse is the allowable per-node transmission rate)
● MAXLEAK_C: an input parameter, the maximum amount of leaked data beyond which an exfiltration failure occurs
Model Parameterization: Physical explanations
● TFP_x: the IDS falsely detects a device; λ_TFP,x is the rate at which good nodes suffer false positives and are evicted
● |PGOOD_x|: the number of uncompromised nodes
● P_fp,x: the false positive probability that a good node of type x is misidentified as a bad node
● T_IDS,x: the IDS detection interval
● λ_TFP,x = |PGOOD_x| · P_fp,x / T_IDS,x
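To make the transitions and the rate expressions concrete, here is an added Python Monte Carlo simulation of the SPN described on the preceding slides; it is an illustration written for this page, not code from the presenters or from the paper they summarize. It fires the timed transitions TCP_x, TFP_x, TID_x and TLEAK_x with the marking-dependent rates above using next-event (Gillespie-style) sampling, checks the immediate transitions TATTRIT_x and TPERVADE_x after every firing, and estimates MTTF together with the mix of failure places reached. Assumptions: the exfiltration rates combine the listed terms multiplicatively (bad-node ratio / T_sensing / MAXLEAK_S for sensors, |PBAD_C| / T_TX / MAXLEAK_C for control nodes), T_TX is treated as an interval, and the parameter values in EXAMPLE are constructed for the demo rather than taken from the paper.

```python
import math
import random
from dataclasses import dataclass, replace

DEVICE_TYPES = ("S", "C", "A")  # sensors, control nodes, actuators

@dataclass
class Params:
    # Input parameters (dictated by the operating environment), keyed by device type x
    lam: dict          # per-node compromise rate lambda_x (per hour)
    pfn: dict          # IDS false negative probability P_fn,x
    pfp: dict          # IDS false positive probability P_fp,x
    min_nodes: dict    # MIN_x, minimum uncompromised nodes of type x
    t_sensing: float   # sensing report interval (hours)
    max_leak_s: int    # MAXLEAK_S, sensor leaks tolerated before exfiltration failure
    max_leak_c: int    # MAXLEAK_C, control-node leaks tolerated
    # Design parameters (chosen by the system manager)
    t_ids: dict        # IDS detection interval T_IDS,x (hours)
    t_tx: float        # allowed transmission interval per control node (hours, assumed)
    alpha: dict        # redundancy factor alpha_x

def initial_marking(p):
    """System initiation: INIT_x = MIN_x * alpha_x tokens in PGOOD_x, none in PBAD_x."""
    return ({x: int(p.min_nodes[x] * p.alpha[x]) for x in DEVICE_TYPES},
            {x: 0 for x in DEVICE_TYPES})

def failure(p, good, bad):
    """Immediate transitions TATTRIT_x / TPERVADE_x (x in C, A): failure place reached, or None."""
    for x in ("C", "A"):
        if good[x] < p.min_nodes[x]:          # fewer uncompromised nodes than MIN_x
            return "PATTRIT"
    for x in ("C", "A"):
        if 3 * bad[x] >= good[x] + bad[x]:    # Byzantine condition: at least 1/3 compromised
            return "PPERVADE"
    return None

def rates(p, good, bad):
    """Marking-dependent rates (per hour) of the enabled timed transitions."""
    r = {}
    for x in DEVICE_TYPES:
        r[("TCP", x)] = good[x] * p.lam[x]                    # attacker compromises a good node
        r[("TFP", x)] = good[x] * p.pfp[x] / p.t_ids[x]       # IDS falsely evicts a good node
        r[("TID", x)] = bad[x] * (1 - p.pfn[x]) / p.t_ids[x]  # IDS correctly evicts a bad node
    n_s = good["S"] + bad["S"]
    ratio_s = bad["S"] / n_s if n_s else 0.0
    # Exfiltration: the three slide terms multiplied together (assumed combination)
    r[("TLEAK", "S")] = ratio_s / p.t_sensing / p.max_leak_s   # sensors leak by bad-node ratio
    r[("TLEAK", "C")] = bad["C"] / p.t_tx / p.max_leak_c       # control nodes leak by bad-node count
    return {k: v for k, v in r.items() if v > 0}

def simulate(p, rng):
    """One trajectory to failure (Gillespie next-event): returns (time, failure place)."""
    good, bad = initial_marking(p)
    t = 0.0
    while True:
        mode = failure(p, good, bad)
        if mode:
            return t, mode
        r = rates(p, good, bad)
        total = sum(r.values())
        if total == 0:                       # nothing can fire: the system never fails
            return math.inf, None
        t += rng.expovariate(total)          # exponential holding time in this marking
        u = rng.random() * total             # choose the firing transition by rate
        for (name, x), rate in r.items():
            u -= rate
            if u <= 0:
                break
        if name == "TCP":                    # token moves from PGOOD_x to PBAD_x
            good[x] -= 1
            bad[x] += 1
        elif name == "TFP":                  # token removed from PGOOD_x
            good[x] -= 1
        elif name == "TID":                  # token removed from PBAD_x
            bad[x] -= 1
        else:                                # TLEAK_x fired: PLEAK set to 1
            return t, "PLEAK"

def mttf(p, runs=300, seed=1):
    """Estimate MTTF (hours) and tally failure modes over independent runs."""
    rng = random.Random(seed)
    times, modes = [], {}
    for _ in range(runs):
        t, mode = simulate(p, rng)
        times.append(t)
        modes[mode] = modes.get(mode, 0) + 1
    return sum(times) / len(times), modes

def sweep_t_ids(p, intervals, runs=300):
    """Effect of the detection interval: MTTF for each common T_IDS,x value."""
    return {t: mttf(replace(p, t_ids={x: t for x in DEVICE_TYPES}), runs)[0]
            for t in intervals}

# Constructed parameter set for the demo (not values from the paper).
EXAMPLE = Params(
    lam={"S": 0.01, "C": 0.005, "A": 0.005},
    pfn={"S": 0.05, "C": 0.05, "A": 0.05},
    pfp={"S": 0.02, "C": 0.02, "A": 0.02},
    min_nodes={"S": 20, "C": 4, "A": 4},
    t_sensing=1.0, max_leak_s=50, max_leak_c=20,
    t_ids={"S": 2.0, "C": 2.0, "A": 2.0}, t_tx=1.0,
    alpha={"S": 1.5, "C": 1.5, "A": 1.5},
)
if __name__ == "__main__":
    print("MTTF, failure modes:", mttf(EXAMPLE))
    print("MTTF vs T_IDS:", sweep_t_ids(EXAMPLE, [0.5, 1, 2, 4, 8, 16]))
```

Running the script prints the estimated MTTF with a count of which failure place ended each run, and sweep_t_ids can be used to explore the trends discussed in the results: very short detection intervals evict healthy nodes quickly (attrition), very long ones let compromised nodes accumulate (pervasion and exfiltration), and changing alpha or the leak limits shifts which failure mode dominates.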
Results: Effects of detection interval T_IDS,x
● With P_fn < P_fp, mislabeling healthy nodes is the more probable IDS error, so a smaller T_IDS,x evicts good nodes faster: the attrition MTTF falls monotonically as the interval shrinks
● Exfiltration and pervasion failures depend on the bad-node ratio, which a shorter interval lowers by evicting compromised nodes sooner, so MTTF is maximized at an optimal T_IDS,x
Results: Effects of false positive/negative probabilities
● Higher P_fp: healthy nodes are mislabeled more often, so MTTF falls monotonically with P_fp, and faster for a smaller T_IDS,x
● Similar trends for P_fn, though MTTF is less sensitive to it
Results: Effects of redundancy factor α_C
● Attrition and pervasion: redundancy improves MTTF (the bad-node ratio decreases with redundancy)
● Exfiltration: redundancy limits MTTF (note that the transition rate of TLEAK_C grows with the number of bad nodes, whereas TLEAK_S depends on the bad-node ratio)
Questions.